Strange indices


(Tamizharasan) #1



I have already checked these two threads, but they did scanning and other things. But I never did anything. Moreover, I use Nginx for a reverse proxy, so it is not open to the internet. I want to know what these indices mean (blazeds, flex2gateway, lcds, messagebroker, webui). Please, someone help me with this. Thank you!


(David Pilato) #2

How do you create data? What do those indices contain?


(Tamizharasan) #3

Those indices contain nothing. I don't understand your question "How do you create data", but I am sure I never created those indices.


(David Pilato) #4

My question is related to how you are sending your data to elasticsearch. Not related to those indices.

Something/someone is doing

PUT foo

I'm just trying to understand what this could be.


(Tamizharasan) #5

I always create a template and create the indices dynamically, programmatically. I used to create indices using PUT in the Kibana console, but I never created a template or indices with those names.


(David Pilato) #6

If you are 100% sure, it means that someone else can do this and is doing this. Or you have a bug in your code.


(Mark Walkom) #7

If your cluster has no authentication, then it's probably something internally connecting to your cluster and requesting a URL that doesn't exist, and Elasticsearch thinks it's a request for an index, that also doesn't exist, and so creates it.

This usually happens due to security scan software seeing that the Elasticsearch host has port 9200 open as an HTTP server, and it runs a few checks that do this.


(Jason Tedor) #8

As @warkolm mentions, I have seen security scanning software do exactly this (e.g., Nessus).


(Tamizharasan) #9

But I never installed Nessus on my node.


(Jason Tedor) #10

I think there’s some confusion here. Let me clarify. It doesn’t have to be Nessus, it could be other software. It doesn’t have to be running on your local node (Nessus doesn’t), it could be any machine anywhere in the world that has network connectivity to your Elasticsearch instance.

I’m going to be very clear here: Elasticsearch is not creating these indices without some external process triggering this. Some process is hitting endpoints on your Elasticsearch instance that lead to indices being created. There is nothing inside of Elasticsearch that would do this without an external trigger.

You could tcpdump traffic destined for the ports your Elasticsearch instance is listening on and find where the API invocations that are triggering these are coming from.
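The mechanism described in #7 and #10 (an unauthenticated request to a non-existent path being treated as an index create) can be reduced on the server side with the real Elasticsearch setting action.auto_create_index, and the stray indices can be spotted from the _cat API. The following is an added example, not code from the thread or from Elastic: it mirrors the evaluation rules of that setting (true/false, comma-separated patterns checked in order, a leading "-" blocks, "+" or no prefix allows, no match blocks) and audits a constructed _cat/indices listing against an allowlist. The sample rows and the allowlist are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `GET _cat/indices?format=json&h=index,creation.date.string`;
# the stray names are the ones reported in the thread, stamped as if a scanner
# created them in one burst. This is not output from the poster's cluster.
SAMPLE_CAT_INDICES = [
    {"index": "app-logs-2019.04.01", "creation.date.string": "2019-04-01T00:00:03.000Z"},
    {"index": "app-logs-2019.04.02", "creation.date.string": "2019-04-02T00:00:02.000Z"},
    {"index": "blazeds",            "creation.date.string": "2019-04-02T11:17:40.000Z"},
    {"index": "flex2gateway",       "creation.date.string": "2019-04-02T11:17:40.000Z"},
    {"index": "lcds",               "creation.date.string": "2019-04-02T11:17:41.000Z"},
    {"index": "messagebroker",      "creation.date.string": "2019-04-02T11:17:41.000Z"},
    {"index": "webui",              "creation.date.string": "2019-04-02T11:17:41.000Z"},
]

def _wildcard_match(pattern: str, name: str) -> bool:
    """Elasticsearch-style simple match: only '*' is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def auto_create_allowed(setting: str, index: str) -> bool:
    """Decide whether action.auto_create_index=<setting> lets <index> be auto-created.
    Patterns are evaluated in order and the first match wins; a name that matches
    no pattern is blocked, so an allowlist like 'app-*' stops scanner-created names."""
    value = setting.strip()
    if value.lower() == "true":
        return True
    if value.lower() == "false":
        return False
    for raw in value.split(","):
        pat = raw.strip()
        if not pat:
            continue
        allow = not pat.startswith("-")
        if pat[0] in "+-":
            pat = pat[1:]
        if _wildcard_match(pat, index):
            return allow
    return False

def find_unexpected(cat_rows, allowed_patterns):
    """Return names from a _cat/indices listing that match none of the expected patterns."""
    return [row["index"] for row in cat_rows
            if not any(_wildcard_match(p, row["index"]) for p in allowed_patterns)]

def creation_bursts(cat_rows, names):
    """Count unexpected indices per creation second; several in the same second
    is the footprint of an automated probe rather than a human at a console."""
    wanted = set(names)
    return Counter(row["creation.date.string"][:19]
                   for row in cat_rows if row["index"] in wanted)
```

With the allowlist in place, a probe for /blazeds or /webui gets a 404-style rejection instead of a new index, while the audit still shows what was created before the setting was applied.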


(Mark Walkom) #11

Or install X-Pack so you get access control.


(Jason Tedor) #12

That will still not reveal to this user the source of these.

